06-16-2014, 03:54 PM | #1 | Member, Registered: Aug 2013, Location: Plymouth, UK, Distribution: SolydK, Posts: 45
Help setting up openVPN server
Hello guys, I know there are a few topics about this, but reading them, I couldn't use anything I'd understand, so I'm creating a new one.
I am going away from home and I'd like to access my home server like I'd be physically connected to my home network. The past 2 days I spent googling and setting up an openVPN server on my home server, but I don't get much success so far. I must admit I don't understand everything around openVPN, so I came to ask you.
My goal:
Connect my laptop from outside of my home network to my home network using the openVPN server installed on my home server and use home network resources, mainly samba shares and my home internet IP address. Also, is it possible to only get the openVPN server's public IP address, but use the internet connection of the device connecting to it?
I've generated all keys and certificates; TLS is not working yet, so I commented that out in server.conf. I will make that work after I'm able to get everything working the way I want.
I can connect to the server and ping it from the laptop, but DNS is not working; I can ping it only using its IP address.
My home network:
DHCP server + DNS server 192.168.0.1 (router)
Home Server 192.168.0.200 (running Debian 7.0)
Laptop DHCP assigned (usually 192.168.0.14)
my server.conf:
Code:
port 443
proto udp
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 10.1.0.0 255.255.255.0
ifconfig 10.1.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn-server.log
status /var/log/openvpn-status.log
verb 6
If it looks messed up, it's because I followed multiple tutorials and I couldn't get any of them working, so I started to play with it and now I can at least connect, but that's about it.
Can anyone help please?
06-16-2014, 04:45 PM | #2 | Senior Member, Registered: Feb 2011, Location: Massachusetts, USA, Distribution: Fedora, Posts: 4,195
You have a choice to make when setting up a VPN that seems to be poorly explained in the documentation. Do you want your remote laptop to be:
a) Bridged: looks like it is connected directly to your home network. Uses DHCP and DNS of the home net. All packets go through the tunnel and back out through the home gateway, so browsing will be slow. This is a layer 2 VPN and uses a "tap" interface on the server.
b) Routed: has two ports on the laptop. Those destined for the home network go through the VPN to a "tun" interface on the server, but you can route (layer 3) other traffic through the direct connection to the internet. This would make browsing faster, but doesn't give you the protection of going through your home server (and firewall). In this case, the laptop is NOT on the same subnet as the home network and will not see broadcast packets - so no DHCP, network neighborhood, browsing samba shares, home DNS, etc. You can still do most things by typing IP addresses or adding names+IPs to your hosts table.
06-16-2014, 05:39 PM | #3 | Member (Original Poster), Registered: Aug 2013, Location: Plymouth, UK, Distribution: SolydK, Posts: 45
Thank you for the reply, smallpond.
So, if I understand, using the "tun" method I should be able to do the things I described in the first post, but basically I'll lose home DNS servicing and I need to add home machines to the hosts table (on the laptop?) and everything is fine ...
Or should I go back to pptp? There, it was easy to configure a range of "home" IP addresses and it "just" worked. My ISP at home is not blocking the pptp port (1173 I think it is? ... can't remember right now), and as it is "just" for my private use (thus 5-star security is not really needed), is there a big advantage of using openVPN over pptp?
EDIT: I just went googling again and found this: http://openvpn.net/index.php/open-so...wto.html#scope
It's late at night here, so my brain is not running at full speed, but I reckon that's what I'm looking for. I must admit that Linux networking is my weak point, so can you please have a quick look and tell me whether I'm going in the right direction?
Last edited by esso82; 06-16-2014 at 05:48 PM.
06-16-2014, 06:17 PM | #4 | LQ Guru, Registered: Oct 2003, Location: Bonaire, Leeuwarden, Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE, Posts: 5,195
I think you are missing something.
You set up a VPN server at home. In order to connect to that server you have to be able to reach it from outside your LAN. That is, reach it from the public internet.
You need the public IP address of your internet connection. I assume you have it because you said you were using pptp. If you don't have it, you have to find it (whatsmyip.com). If it is not fixed you need to rely on a service like dyndns.
Secondly, if you know your IP address you need to be sure your modem (which usually holds the firewall) forwards any incoming connection to your OpenVPN server. That is port 1194, which needs to be forwarded through your firewall.
jlinkels
06-16-2014, 06:24 PM | #5 | Member (Original Poster), Registered: Aug 2013, Location: Plymouth, UK, Distribution: SolydK, Posts: 45
Thank you, jlinkels, for your answer.
Yes, I use no-ip.org to catch my dynamic public IP.
Also, I forwarded UDP 443 on my router to point at the openVPN server host and added an iptables rule to allow tun traffic.
What looks weird to me is that if I ping 192.168.0.200 (openVPN server) it's a success, but pinging 192.168.0.1 (router) returns all packets dropped. Also I can't browse the internet with the current setup.
06-17-2014, 12:15 PM | #6 | Senior Member, Registered: Feb 2011, Location: Massachusetts, USA, Distribution: Fedora, Posts: 4,195
Your OpenVPN server also needs to be routing packets. Check /proc/sys/net/ipv4/ip_forward
06-17-2014, 01:47 PM | #7 | Member (Original Poster), Registered: Aug 2013, Location: Plymouth, UK, Distribution: SolydK, Posts: 45
Yes, it's allowed; /proc/sys/net/ipv4/ip_forward returns net.ipv4.ip_forward = 1
I think you didn't understand what I need help with. All I need is for someone to write those "route" and "push route" directives for my case, i.e. is this correct?
Code:
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
I roughly understand that when I, say, ping a machine (192.168.0.15) on the server-side network from outside using the VPN tunnel, the packet goes from my laptop (10.8.0.2) via the tunnel to the openVPN server (10.8.0.1 / 192.168.0.200 on the home network) and there the magic happens. Does the packet's destination IP translate to the server-side network (192.168.0.15)? Or do I need to somehow set up the router as well? When the machine on the server-side network answers, where does the packet go? To the gateway (router, 192.168.0.1)? How does the gateway know that the packet for 192.168.0.10 should be routed to 192.168.0.200, and that machine will know where to send it?
And this is what I don't understand: how exactly it works. And mainly, what do I put into server.conf to make it work that way?
----------------------------------------------------------------
EDIT: I played around with it now, and it still confuses me. This is the server.conf I use now:
Code:
port 443
proto udp
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
push "redirect-gateway def1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn-daemon.log
status /var/log/openvpn-status.log
verb 6
ccd/myclient contains a single line:
Code:
192.168.0.15 255.255.255.0
and this is what I get. WHY 192.168.43.195?
Code:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1542 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:2832 (2.7 KiB)
wlan0 Link encap:Ethernet HWaddr 0c:84:dc:88:0f:b5
inet addr:192.168.43.195 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::e84:dcff:fe88:fb5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13297 errors:0 dropped:0 overruns:0 frame:0
TX packets:13370 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10435229 (9.9 MiB) TX bytes:2412493 (2.3 MiB)
EDIT AGAIN: ahh ... 192.168.43.195 is the IP assigned from my phone, atm I'm connected to the internet via my phone.
Last edited by esso82; 06-17-2014 at 02:34 PM.
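A small lint for the server.conf fragments in posts #1 and #7, added here as an example (it is not from the thread or from the OpenVPN project). It assumes the sample below, constructed from post #7, and flags the things a reviewer would catch in these configs: an 'ifconfig' alongside 'server', a pushed route whose gateway lies outside the VPN subnet, a 'redirect-gateway' push that needs forwarding and NAT on the server, a ccd file holding a bare address instead of a directive, and the curly quotes that copy-pasting a config from a web page can introduce.

```python
import ipaddress
import shlex
CURLY = "\u201c\u201d\u2033"       # double quotes that copy-pasting from a web page introduces
CCD_DIRECTIVES = {"iroute", "ifconfig-push", "push", "push-reset", "config", "disable"}
# Constructed sample: the directives asked about in post #7 plus the ccd file from the same post.
SAMPLE_CONF = """server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
"""
SAMPLE_CCD = {"myclient": "192.168.0.15 255.255.255.0\n"}

def parse(text):
    """Yield (directive, args) pairs, skipping blank lines and # or ; comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def lint(server_conf, ccd_files=None):
    """Return a list of findings about the routing directives; [] means nothing flagged."""
    findings = []
    if any(c in server_conf for c in CURLY):
        findings.append("non-ASCII quotes present; OpenVPN only recognises \" and '")
        server_conf = server_conf.translate(str.maketrans(CURLY, '"' * len(CURLY)))
    opts, pushes = {}, []
    for name, args in parse(server_conf):
        if name == "push":
            pushes.append(args[0].split())
        else:
            opts[name] = args                  # last occurrence wins, as in OpenVPN
    vpn = None
    if "server" in opts:
        vpn = ipaddress.ip_network("{}/{}".format(*opts["server"]))
        if "ifconfig" in opts:
            findings.append("'ifconfig' is redundant: 'server' already sets the tunnel address")
    for p in pushes:
        if p[0] == "route" and len(p) == 4 and vpn and ipaddress.ip_address(p[3]) not in vpn:
            findings.append(f"pushed route gateway {p[3]} is outside VPN subnet {vpn}; "
                            "omit the gateway so the client uses its tunnel endpoint")
        if p[0] == "redirect-gateway":
            findings.append("redirect-gateway pushed: the server must forward and NAT the "
                            "VPN subnet to the internet or the client loses web access")
    for fname, text in (ccd_files or {}).items():
        for name, _ in parse(text):
            if name not in CCD_DIRECTIVES:
                findings.append(f"ccd/{fname}: '{name}' is not a directive; use "
                                "'ifconfig-push' for the client address or 'iroute' for a LAN")
    return findings
```

Running lint(SAMPLE_CONF, SAMPLE_CCD) gives three findings for the post #7 fragment: the redundant ifconfig, the 10.1.0.1 gateway that is not inside 10.8.0.0/24, and the ccd line that OpenVPN would reject as an unknown option.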
06-18-2014, 02:28 AM | #8 | Member (Original Poster), Registered: Aug 2013, Location: Plymouth, UK, Distribution: SolydK, Posts: 45
OK, I was reading some more about networking generally and understood that in order to run an openVPN server on another machine than the gateway itself (in "tun" mode), one must set a static route for the virtual subnet on the gateway. Unfortunately, my router (BT Home Hub 3) doesn't have such an option, so I give up for now; when I upgrade the router, I'll try again. I know that I could turn my home server into a DNS server, but it's not running 24/7 just yet and I don't have much free time to play around with it.
At least I understand the concept of network routing and VPN now.
Thank you everyone for your answers.
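To make post #7's question concrete (where does the reply go?) and to show why post #5's ping to 192.168.0.200 succeeds while the ping to 192.168.0.1 fails, here is a hop-by-hop forwarding simulator over the routing tables of the laptop, the server, the router and one LAN PC, added as an example that is not from the thread. Addresses are the thread's; the ISP next hop 203.0.113.1 is a constructed placeholder, and the router_static_route switch is the static route post #8 names.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) rows; next_hop None means on-link."""
    best = None
    for n, via in routes:
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best

def build_topology(router_static_route=False):
    """Routing tables of each node in the thread's network (203.0.113.1 is a placeholder ISP hop)."""
    topo = {
        "laptop": {"addrs": {"10.8.0.6"},
                   "routes": [(net("10.8.0.0/24"), None), (net("192.168.0.0/24"), "10.8.0.1")]},
        "server": {"addrs": {"10.8.0.1", "192.168.0.200"},
                   "routes": [(net("10.8.0.0/24"), None), (net("192.168.0.0/24"), None),
                              (net("0.0.0.0/0"), "192.168.0.1")]},
        "router": {"addrs": {"192.168.0.1"},
                   "routes": [(net("192.168.0.0/24"), None), (net("0.0.0.0/0"), "203.0.113.1")]},
        "pc":     {"addrs": {"192.168.0.15"},
                   "routes": [(net("192.168.0.0/24"), None), (net("0.0.0.0/0"), "192.168.0.1")]},
        "isp":    {"addrs": {"203.0.113.1"}, "routes": []},   # never routes private 10.8.0.0/24 back
    }
    if router_static_route:   # the static route post #8 says the BT Home Hub cannot take
        topo["router"]["routes"].append((net("10.8.0.0/24"), "192.168.0.200"))
    return topo

def trace(topo, src_node, dst, max_hops=8):
    """Forward a packet node by node; return (path, delivered)."""
    owner = {a: n for n, d in topo.items() for a in d["addrs"]}
    dst_ip = ipaddress.ip_address(dst)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        if dst in topo[node]["addrs"]:
            return path, True
        hit = lookup(topo[node]["routes"], dst_ip)
        if hit is None:
            return path, False              # no matching route: dropped here
        nxt = owner.get(dst if hit[1] is None else hit[1])
        if nxt is None:
            return path, False              # next hop is not a known neighbour
        node = nxt
        path.append(node)
    return path, False

if __name__ == "__main__":
    for fix in (False, True):
        print("static route on router:", fix, trace(build_topology(fix), "pc", "10.8.0.6"))
```

The alternative to that static route is to MASQUERADE (SNAT) the VPN subnet on the server's LAN interface: LAN hosts then reply to 192.168.0.200, which trace(topo, "pc", "192.168.0.200") shows is delivered without the router's help.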